One more try to modernize US surveillance laws for the Internet age

Would revised surveillance law protect all personal data?
Recently, content providers including Google and Microsoft have been racing to comply with dueling sets of governments' provisions worldwide: one that mandates how long they must retain information about their customers, and another that mandates they must anonymize that data, or get rid of it, after a given period of time. But as university researchers including Harvard's Christopher Soghoian demonstrated, anonymization with respect to single databases may be pointless, as engineers with only meager knowledge of how databases work could conceivably reconstruct personally identifiable data by linking records from multiple databases.
This gets into the larger question of aggregate data -- information that's discoverable through manipulation. The principles proposed by Digital Due Process yesterday appear, on the surface, to apply to law enforcement requests for specific records from specific databases applicable to specific investigations. But what happens when data those agencies may already have reveals something they didn't know they needed to know, once it's all pieced together?
We asked the CDT's Jim Dempsey. "Our principle #4 addresses this issue: It says that when the government seeks aggregate data, it must get a court order; it cannot use a prosecutor's subpoena," he told Betanews. With regard to requests for personally-identifiable data (PID) versus non-PID -- data that can be compiled to reveal PID -- Dempsey said, "ECPA does not distinguish between personally identifiable and non-personally identifiable data. Even the current law covers data that is aggregate and supposedly not personally identifiable."
But even as the principles are currently written, could new law based on those principles effectively omit aggregate data, creating a loophole? For instance, could a law enforcement agency thwart the new rules by mining data collected in the course of other, unrelated investigations, determining new connections between elements of data in so doing, and then characterizing the resulting evidence as "plain sight" discoveries?
"Nothing in current law or in our proposal limits the government's use of data already collected," responded CDT's Dempsey. "If the government lawfully acquires data one day, it can use that data months or years later in another case. ECPA and the Fourth Amendment [of the US Constitution, pertaining to citizens' protections against unreasonable searches and seizures] address forcing companies to disclose customer data; they do not address how long the government can keep the data."
In a statement issued yesterday, Sen. Patrick Leahy (D-Vt.), who currently chairs the Judiciary Committee, promised to hold a new set of hearings to consider the new group's proposals, some of which have been considered before, including in committees headed or steered by Leahy.
"I applaud the announcement today by Digital Due Process and the Center for Democracy & Technology that a coalition of privacy advocates, legal scholars, and major Internet and communication service providers have joined together to release a consensus set of proposals to modernize the Electronic Communications Privacy Act. I look forward to reviewing these ideas," stated Sen. Leahy. "While the question of how best to balance privacy and security in the 21st century has no simple answer, what is clear is that our federal electronic privacy laws are woefully outdated. In the coming months, I plan to hold hearings on much-needed updates to the Electronic Communications Privacy Act."